IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re application of: Gordon et al.
Serial No.: 09/478,309
Filed: January 6, 2000
For: Method and Apparatus for Securing a Cookie Cache in a Data Processing System

35525
PATENT TRADEMARK OFFICE
CUSTOMER NUMBER

Group Art Unit: 2135
Examiner: Klimach, Paula W.
Attorney Docket No.: AUS990809US1

Certificate of Transmission Under 37 C.F.R. § 1.8(a)

I hereby certify this correspondence is being transmitted via facsimile to the Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450, facsimile number (571) 273-8300 on July 18, 2005.

Michele Morrow

TRANSMITTAL DOCUMENT

Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

Sir: 

ENCLOSED HEREWITH:

Reply Brief (37 C.F.R. 41.41).

No fees are believed to be required. If, however, any fees are required, I authorize the Commissioner to charge these fees which may be required to IBM Corporation Deposit Account No. 09-0447. No extension of time is believed to be necessary. If, however, an extension of time is required, the extension is requested, and I authorize the Commissioner to charge any fees for this extension to IBM Corporation Deposit Account No. 09-0447.

Respectfully submitted

Francis Lammes
Registration No. 55,353
Agent for Applicants

Duke W. Yee
Registration No. 34,285
Attorney for Applicants

RECEIVED
JUL 18 2005

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE

In re application of: Cordon et al.
Serial No.: 09/478,309
Filed: January 6, 2000
For: Method and Apparatus for Securing a Cookie Cache in a Data Processing System

Group Art Unit: 2135
Examiner: Klimach, Paula W.

Commissioner for Patents
P.O. Box 1450
Alexandria, VA 22313-1450

Certificate of Transmission under 37 C.F.R. § 1.8(a)

I hereby certify this correspondence is being transmitted via facsimile to the Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450, facsimile number (571) 273-8300 on July 18, 2005.

By: Michele Morrow


REPLY BRIEF (37 C.F.R. 41.41)

This Reply Brief is submitted in response to the Examiner's Answer mailed on May 18, 2005.

No fees are believed to be required to file a Reply Brief. Any required petition for extension of time for filing this brief and fees therefore, are dealt with in the accompanying TRANSMITTAL OF REPLY BRIEF.

GROUPING OF CLAIMS



The Examiner's Answer states that Appellant's Brief does not contain a statement that the grouping of claims stand or fall together. Appellants respectfully submit that the Rules of Practice Before the Board of Patent Appeals and Interferences; Final Rule issued August 12, 2004, and adopted September 13, 2004, states:

Section 41.37 is added to generally incorporate the requirements of former Rule 192. In addition, the following changes have been made:

9) The grouping of claims requirement set forth in former Rule 192(c)(7) is removed. The general purpose served by former Rule 192(c)(7) is addressed in § 41.37(c)(1)(vii). The existing grouping of claims requirement has led to many problems such as (i) Grouping of claims across multiple rejections (e.g., claims 1-9 rejected under 35 U.S.C. 102 over A while claims 10-15 are rejected under 35 U.S.C. 103 over A and the appellant states that claims 1-15 are grouped together); (ii) Claims being grouped together but argued separately (e.g., claims 1-9 rejected under 35 U.S.C. § 102 over A, the appellant groups claims 1-9 together but then argues the patentability of claims 1 and 5 separately); and (iii) examiners disagreeing with the appellant's grouping of claims.

In this section, the Board of Patent Appeals and Interferences has stated that the grouping of claims is removed. Therefore, Appellants respectfully submit that Appellants' Brief is correct.



RESPONSE TO EXAMINER'S REMARKS



A. GROUND OF REJECTION (Claims 1-9, 17-29, and 37) 

In response to Appellants' assertion that Broadhurst does not teach or suggest storing and comparing both an identification of the requestor and an associated cookie, more specifically, Broadhurst does not store a copy of the cookie that is sent out and Broadhurst does not save the identification of the system to which a cookie is sent, the Examiner's Answer states:

In reference to the stored cookie, the office action mailed out on 10/21/04 the examiner pointed out the modification necessary to Broadhurst in order to store the cookie and why it would be obvious. The rejection states:

"...Although Broadhurst does not expressly disclose storing the cookie, Broadhurst discloses storing the credentials that can be formed into a cookie (column 3 lines 41-48)."

This indication that even though the information for the cookie does not take the form of a cookie it is indeed stored in the directory. This makes the information, required to form the cookie, available for transforming into the more identifiable form of a cookie.

Furthermore Broadhurst discloses receiving the cookie in order to access the resource. This was stated in the office action mailed on 10/21/04.

"...Sending a first cookie to the requestor in response to the request, wherein the cookie is used to access the resource. (Fig. 2 part 108)."

After receiving the above-mentioned cookie, the system of Broadhurst compares the cookie to the information stored in the directory (this is the above mentioned information that is used to create the cookie) during the process of authentication (Fig. 2 part 112 and 114 in combination with column 4, lines 42-60).

Appellants respectfully submit that it would not be obvious to modify Broadhurst in the manner described by the Examiner. The Examiner indicates that Broadhurst teaches this at column 3, lines 41-48, which reads as follows:

For each user, the directory 16 stores information which allows the user's authentication information to be mapped into a network credential which includes a role of the user. The network credential can then be formed into a cookie. Once logged in and initially authenticated to the network, a user may freely access any of the applications allowed by the role.

In this section, Broadhurst describes that a cookie is formed from a network credential which is a mapped version of the user's authentication information. Thus, the Broadhurst cookie is the user's authentication information which is formed after the user's authentication information is received by the Broadhurst system (see column 3, lines 18-41). Appellants' claimed invention, of claims 1, 21, and 35, recites "sending a first cookie to the requestor in response to the request, wherein the cookie is used to access the resource; and storing an identification of the requestor and the first cookie to form a stored identification and a stored cookie, wherein the identification of the requestor identifies a particular data processing system from which the request originated." Thus, Appellants' cookie is a resource access and is stored in addition to the identification of the requestor. The Examiner clearly alleges that Appellants' identification of the requestor is equivalent to the Broadhurst's user's authentication information (see Examiner's Answer, page 7). Thus, Broadhurst only maintains the user's authentication information in the form of a cookie and does not store an identification of the requestor and the first cookie, which is sent to the requestor in response to the request and wherein the cookie is used to access the resource, to form a stored identification and a stored cookie.

The Examiner further alleges that Broadhurst teaches receiving the cookie in order to access the resource at Figure 2, step 108, the description of which is as follows:

If there is not yet a user cookie, one is created in step 106 by consulting the directory 16 to map the user's identity to an intermediate identity and a user role, which are used to form a network credential. If no mapping can be found between the user's local identity and a network credential, a "no-map" cookie is created to prevent repeated failed lookups. The user's network credential, including user role, is formed into a cookie by appending the identity of the user's terminal to the credential, and making a cryptographic seal of the result. The cookie is then preferably encoded. As will be appreciated by those of ordinary skill in the art, a cookie is a message given to a web browser by a web server to record aspects of the interaction history between the browser and server, and which is stored by the web browser to facilitate access to additional server resources. The cookie is preferably configured to disappear when the browser program is closed by the user. In step 108, the cookie is returned to the browser.

(Column 4, lines 21-39)

As discussed above, and supported by this section of Broadhurst, the cookie created by Broadhurst, which is a map of the user's identity to an intermediate identity and a user role both of which are used to form a network credential, is not a cookie sent to the requestor in response to the request, wherein the cookie is used to access the resource separately from the identification of the requestor. Thus, while the cookie of Broadhurst is sent to a browser, the cookie is the user's identity and role.

In response to Appellants' assertion that there is no motivation to modify Broadhurst to store the cookie and identifier and to compare these to a received request in order to meet the claimed invention, the Examiner's Answer states:

. . . The Examiner directs attention to Fig. 2 wherein the steps for authentication comprise both authentication of the user ID (Fig. 2 parts 100-102) and a valid cookie (Fig. 2 parts 112-114). Even if Broadhurst did not store user identity and cookie, Broadhurst does carry out authentication using the user identity and cookie and therefore is able to store this information.

As discussed previously, the cookie of Broadhurst is the user's identity formed into a cookie. The cookie of Broadhurst is not a resource access. In Figure 2, Broadhurst describes validating the user's identity (steps 100-102), mapping the identity and forming a cookie (steps 104-108), and using the identity cookie to access information (steps 110-112). Broadhurst does not send a first cookie to the requestor in response to the request, wherein the cookie is used to access the resource, and store an identification of the requestor and the first cookie to form a stored identification and a stored cookie, wherein the identification of the requestor identifies a particular data processing system from which the request originated. Thus, there is not any incentive or motivation to modify Broadhurst to meet the claimed limitations.

Appellants respectfully submit that Broadhurst fails to teach or suggest storing a copy of the cookie that is sent out and saving the identification of the system to which a cookie is sent. Thus, Broadhurst does not teach or suggest storing and comparing both an identification of the requestor and an associated cookie. Therefore, Broadhurst does not perform all of the inventive functionalities claimed by Appellants.

B. GROUND OF REJECTION (Claim 18) 

In response to Appellants' assertion that Grantges does not teach or suggest a server that sends a request to access a resource within the data processing system from which a cookie is generated.

The examiner would like to redirect attention back to Broadhurst who inputs a request to access additional resources which may be associated with the user's initial server or a new server in the network (column 3 lines 49-67). Thus, Broadhurst teaches that the requestor may be a server. Therefore providing the direction to a proxy server as in Grantges. Further the Grantges reference discloses the proxy server creating a request (column 6, lines 47-51). In addition, the appellant asserts that a cookie is given to a server, rather than to a browser. This is not persuasive because although claim 18 does not claim the server receiving the cookie, a proxy in the system of Grantges stands between the server and the browser and therefore saves and receives the cookie while mapping it to the identity of the browser.

Appellants respectfully submit that Broadhurst does not teach or suggest a server that sends a request to access a resource within the data processing system from which a cookie is generated. The Examiner states that this feature is taught by Broadhurst at column 3, lines 49-67, which reads as follows:

To access additional resources not included in the initial list, the user inputs a request to access additional resources, which may be associated with the user's initial server or a new server in the network. Access to the back end or external application is achieved using a script (a series of commands which can be executed without user interaction) or other similar means accessible as a web server resource. The script is written by the system administrator, stored on the same host machine as the web server, and provides the login code for the server/application. The user name and password are not hardcoded into the script, but rather are stored in script access procedure variables (SV) having names chosen by the system administrator. The password values are preferably encrypted to enhance security. The SV's are stored in a database which can be the directory 16 or another suitable database (such as database 19 associated with the server host 13) accessible to the server. According to an aspect of the present invention, in response to a user request through the browser, the script retrieves the SV value from the directory 16 based on an SV name contained in the script, the user's role and identity (contained in a cookie provided to the script). In this manner, the identity and password used by the user to access the third party application are determined by the user's role and individual identity.

In this section, Broadhurst describes a user request to gain access to additional resources that were not included in the initial request. The user requests to access the additional resources, which may be associated with the user's initial server or a new server in the network. Thus, the request is to gain access to a server that may be associated with the user's server or new. There is nothing in this section, or any other section of Broadhurst, that teaches or fairly suggests a server that sends a request to access a resource within the data processing system from which a cookie is generated.

Additionally, Appellants respectfully submit that Grantges does not teach or suggest a server that sends a request to access a resource within the data processing system from which a cookie is generated. The Examiner states that this feature is taught by Grantges at column 6, lines 47-51, which reads as follows:

In response to DMZ proxy server 34's request to establish secure connection 
54, gateway proxy server 40 presents its X.509 digital certificate, and requests that 
DMZ proxy server 34 present its X.509 digital certificate by a return message. 

In this section, Grantges is describing a proxy server's request to establish a secure connection. While Grantges may teach a server sending a request, the request is not to access a resource within the data processing system from which a cookie is generated.

Appellants respectfully submit that Broadhurst and Grantges, taken alone or in combination, fail to teach or suggest a server that sends a request to access a resource within the data processing system from which a cookie is generated. Thus, Broadhurst and Grantges, taken alone or in combination, do not perform all of the inventive functionalities claimed by Appellants.

In view of the above, Appellants respectfully submit that claims 1-9, 17-29, and 37 are allowable over the cited prior art and that the application is in condition for allowance. Accordingly, Appellant respectfully requests the Board of Patent Appeals and Interferences to not sustain the rejections set forth in the Final Office Action.



CONCLUSION 




Francis Lammes 
Reg. No. 55,353 



Yee & Associates, P.C.
Dallas, TX 75380
(972) 385-8777